This course explains how to use the Istio service mesh to route and manage network traffic, enforce security, and observe telemetry.
Introduction
- Introduction to a Service Mesh
- Introduce/recap Micro-services Architecture (MSA) patterns (in particular the sidecar)
- Discuss challenges in a service mesh
- Understand the differences between an Enterprise Service Bus (ESB) and a Service Mesh
- Introduce Istio
- High-level architecture of Istio
- Components of the data plane and control plane
- Introduce the Envoy project and its use in Istio
- Brief overview of installation and configuration techniques (e.g., Istioctl, Helm)
- Install Istio using Istioctl
Traffic Management
- Overview of traffic management with Istio
- Controlling Ingress and Egress traffic
- Configuring Gateways
- Defining Virtual Services
- Understand host and destination bindings
- Controlling HTTP traffic (matching, rewriting, redirecting, …)
- Testing resilience by using declarative faults
- Using Destination rules
- Flowing traffic to different versions (subsets)
- Managing versions using mirroring
- Explicitly adding Service Entries for outside traffic
- Service resilience with Circuit Breakers
Security
- Understand the need for declarative security
- List security tasks (identity, message privacy, message integrity, non-repudiation)
- Understand Istio identity (users, services)
- Add end-user authentication using JWT
- Apply Mutual TLS (mTLS) for inter-service authentication
- Managing certificates
- mTLS Migration techniques
- Using namespaces and label selectors to enforce policies
- Define HTTP-based access-control
- Using JWT to define end-user/external client access control
Telemetry
- Overview of Istio's Observability options
- Using Envoy's access logs
- Introduce Metrics
- Understand the different levels of metrics gathering (Envoy, Service and control plane)
- Configuring service-level metrics
- Using Prometheus and Grafana for metric visualisation
- Trace request traffic through your mesh (Distributed traces)
- Using Jaeger as a trace-backend (discuss other options)